Securing your Empire C2 with Apache mod_rewrite

Background:

Christmas came early this year for red teamers with the release of the Red Team Infrastructure Wiki. It debuted right after an amazing red team infrastructure presentation by Jeff Dimmock and Steve Borosh. I can’t even begin to get into how invaluable the wiki is when designing and securing your infrastructure; check it out for yourself to see what I mean.

One of the key design factors emphasized by the wiki is the use of redirectors in your infrastructure setup. Redirection can be applied to pretty much every function of your infrastructure: serving payloads, avoiding IR and protecting your C2, among many others. Losing a C2 server can be incredibly costly, so applying redirection to secure and obscure your C2 server(s) should be a top priority in your design process. Jeff Dimmock already wrote a detailed post about protecting Cobalt Strike C2 traffic with Apache mod_rewrite redirection, and Julian Catrambone wrote a cool script to automate the process. I’m here to babble a little about redirectors and pirate some of their great work; this time with Empire as the C2 server of choice.

The Problem:

The “typical” C2 server setup will look something like this:

The problem? Your C2 server is completely exposed and if it gets burned you’re going to have little choice but to take it all down and start setting up new infrastructure; a situation no sane pentester/red teamer wants to find themselves in during an engagement. The solution? C2 redirection.

Redirection:

Generally speaking, traffic redirection can be accomplished in 2 ways:

1. Dumb Pipe Redirection:

ALL traffic coming through your redirector is forwarded to your C2 server. This kind of redirection has one merit: the real location of your C2 server isn’t revealed. The downside is that it is still pretty easy for the blue team to identify suspicious activity, since all unwanted traffic, whether from defensive solutions or from a curious incident responder, is forwarded straight to your C2. If any of your C2’s server-side indicators raise a red flag, you’re going to find yourself in a troublesome situation in no time.

2. Conditional Redirection:

Conditional redirection allows you to configure your redirector with very specific parameters that every incoming request is checked against before it is forwarded to its destination. This means you can configure your redirector to allow only the traffic you want to get through to your C2 server and redirect all unwanted traffic to another destination of your choice, e.g. whatever site you may be spoofing for your assessment.

Apache mod_rewrite:

Apache mod_rewrite is a powerful Apache web server module that’s going to allow us to use conditional redirection to protect our Empire C2 server. Jeff Dimmock has written an awesome blog post series demonstrating just how useful mod_rewrite can be during various phases of red team operations. But before we get to setting up our redirection we need to determine what conditions our redirector is going to use to distinguish valid C2 traffic from everything else.

Empire Communication Profiles:

Empire’s Communication Profiles allow operators to configure what their C2 traffic will look like on the wire. For instance, operators can configure their Empire C2 traffic to look like “normal” web traffic such as search engine traffic or video streaming, or even like abnormal traffic copied from known malicious actors. Communication Profiles are Empire’s equivalent of Cobalt Strike’s Malleable C2 Profiles.

There’s already plenty of material out there covering both Communication Profiles and Malleable C2, so I won’t get into them. I only mentioned them because our redirector is going to use the Communication Profile we configure our Empire C2 server with to determine what valid C2 traffic is and what isn’t.

With that said, we can get right into setting up our redirection.

Empire C2 Redirection with Apache mod_rewrite:

Prerequisites:

We’ll need 2 servers; a redirector (Apache webserver) and a C2 server (Empire). The setup I’m using is illustrated below:

1. Install Apache and enable mod_rewrite:

Once Apache is installed, enable the rewrite module (a2enmod rewrite on Debian-based systems). If your rules are going to proxy matching requests to the C2 with the [P] flag, as the Cobalt Strike post this follows does, enable mod_proxy and mod_proxy_http as well. Then locate the <Directory /var/www/> block in your Apache configuration file (should be /etc/apache2/apache2.conf) and change “AllowOverride None” to “AllowOverride All” so that the .htaccess rules we write later are honoured.

2. Configure your Empire listener:

The easiest way to configure Empire with a Communication Profile is to change the “DefaultProfile” property in your Empire listener configuration. The profile is a single string: the request URIs (comma separated), the User-Agent and any extra headers as Name:Value pairs, all separated by “|”. Just paste a Communication Profile of your choice into the respective field and fire up your listener. I’ll be using the Zeus Communication Profile.

NOTE: The “Host” listener property should be set to the IP address/domain of your redirector, not of the C2 server itself, so that launchers and agents beacon to the redirector.

3. Generate mod_rewrite rules:

This post details how you can generate mod_rewrite rules to match a Malleable C2 Profile of your choice. The process with Empire’s Communication Profiles is identical, so there’s no need for me to walk through it: the profile’s request URIs, User-Agent and extra headers each become a RewriteCond, and only a request satisfying all of them is forwarded to the C2. The generated rules for the Zeus profile I’m using can be found below.

4. Write the rules to a .htaccess file:

Once you have your rules you can write them to a .htaccess file in your web server root directory; /var/www/html in my case. This site lets you check the syntax of your mod_rewrite rules for errors before placing them in a .htaccess file.

NOTE: .htaccess files should be configured with 644 permissions.

5. Restart webserver:

All that’s left is to restart Apache so the new configuration takes effect. (The .htaccess rules themselves are read on every request; it’s the module and apache2.conf changes from step 1 that need the restart.)

sudo service apache2 restart

6. Test it:

Time to see if our redirector is working. I infected the Windows 7 box (192.168.56.100) with a PowerShell launcher.

This is what the traffic looks like from the target’s side.

What happens if our redirector receives any invalid C2 traffic from a suspicious incident responder browsing to its IP?

They get redirected to the site (example.com) we specified in our mod_rewrite ruleset. Looks like everything is working like it should 🙂
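To make steps 3 and 4 concrete, here is an added example (written for this page; it is neither the post’s Zeus rule set nor Sleight’s source) that turns an Empire Communication Profile into the .htaccess rules described above and then applies the same conditions to a few constructed requests, so you can sanity-check a rule set before deploying it. It assumes the “URIs|User-Agent|Header:Value|…” profile format, that matching requests are proxied with the [P] flag (which needs mod_proxy and mod_proxy_http enabled alongside mod_rewrite), and that the sample profile, the C2 address 192.0.2.10 and the example.com decoy are placeholders.

```python
"""Empire Communication Profile -> Apache mod_rewrite rules (added example).

Illustrative code for this page, not the post's rules or Sleight's source.
Assumptions: Empire's "URIs|User-Agent|Header:Value|..." profile format;
matching requests are proxied with [P] (needs mod_proxy + mod_proxy_http);
C2 address and decoy URL below are placeholders.
"""
import re

# Constructed sample profile in Empire's DefaultProfile format.
# It is NOT the Zeus profile used in the post.
SAMPLE_PROFILE = (
    "/admin/get.php,/news.php,/login/process.php"
    "|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
    "|Accept:*/*"
)

_META = set('.^$*+?()[]{}|\\"')


def rx(literal):
    """Escape a literal so it matches itself exactly in PCRE and in Python."""
    return "".join("\\" + c if c in _META else c for c in literal)


def parse_profile(profile):
    """Return (uris, user_agent, headers) from an Empire communication profile."""
    parts = profile.strip().split("|")
    if len(parts) < 2:
        raise ValueError("profile must be at least 'URIs|User-Agent'")
    uris = [u.strip() for u in parts[0].split(",") if u.strip()]
    headers = {}
    for field in parts[2:]:
        name, _, value = field.partition(":")
        headers[name.strip()] = value.strip()
    return uris, parts[1].strip(), headers


def uri_pattern(uris):
    # One alternation covering every profile URI; a trailing slash is tolerated.
    return "/(" + "|".join(rx(u.lstrip("/")) for u in uris) + ")/?"


def generate_rules(profile, c2_url, decoy_url):
    """Build .htaccess lines. Every RewriteCond must hold for the [P] rule to
    fire; anything else falls through to the 302 onto the decoy site."""
    uris, user_agent, headers = parse_profile(profile)
    rules = [
        "RewriteEngine On",
        'RewriteCond %%{REQUEST_URI} "^%s$"' % uri_pattern(uris),
        'RewriteCond %%{HTTP_USER_AGENT} "^%s$"' % rx(user_agent),
    ]
    for name, value in headers.items():
        # %{HTTP:Name} reads any request header, not just the predefined ones.
        rules.append('RewriteCond %%{HTTP:%s} "^%s$"' % (name, rx(value)))
    rules.append("RewriteRule ^.*$ %s%%{REQUEST_URI} [P]" % c2_url)
    rules.append("RewriteRule ^.*$ %s/? [L,R=302]" % decoy_url)
    return rules


def generate_htaccess(profile, c2_url, decoy_url):
    return "\n".join(generate_rules(profile, c2_url, decoy_url)) + "\n"


def would_reach_c2(profile, request):
    """Apply the same conditions in Python to {'uri', 'user_agent', 'headers'}.
    Mirrors Apache: REQUEST_URI carries no query string, and the anchored
    patterns are case-sensitive (no [NC] flag)."""
    uris, user_agent, headers = parse_profile(profile)
    path = request.get("uri", "").split("?", 1)[0]
    if not re.fullmatch(uri_pattern(uris), path):
        return False
    if not re.fullmatch(rx(user_agent), request.get("user_agent", "")):
        return False
    sent = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return all(re.fullmatch(rx(v), sent.get(k.lower(), "")) is not None
               for k, v in headers.items())


# Constructed requests: an Empire beacon, an analyst's browser hitting "/",
# and a scanner that found a profile URI but sends its own User-Agent.
BEACON = {"uri": "/news.php",
          "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
          "headers": {"Accept": "*/*"}}
ANALYST = {"uri": "/",
           "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
           "headers": {"Accept": "text/html"}}
SCANNER = {"uri": "/admin/get.php", "user_agent": "curl/7.52.1",
           "headers": {"Accept": "*/*"}}

if __name__ == "__main__":
    print(generate_htaccess(SAMPLE_PROFILE, "http://192.0.2.10", "http://example.com"))
    for label, req in (("beacon", BEACON), ("analyst", ANALYST), ("scanner", SCANNER)):
        print(label, "-> C2" if would_reach_c2(SAMPLE_PROFILE, req) else "-> decoy")
```

Running it prints the six-line rule set (paste it into .htaccess) followed by one decision per sample request: only the beacon reaches the C2; the analyst and the scanner are bounced to the decoy. Because the patterns are anchored with ^ and $, a request carrying the right URI but a User-Agent that differs by a single character is treated as unwanted, which is exactly the behaviour you want when an incident responder starts poking at the redirector.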

Sleight – Automated Redirector Setup:

If you have to do the same thing more than once you should automate it, right? I wrote a messy Python script to automate the process above and save myself a little time in the future. Once you’ve configured your Empire C2 and gotten yourself a server/VPS to use as a redirector, simply download Sleight, run it with root privileges, feed it a Communication Profile, follow the prompts and you should have a functional Empire HTTP C2 redirector up and running in no time. Playing with Empire HTTPS redirection is on my to-do list; I’ll be sure to blog about it once I do. The images below show Sleight setting up a fresh redirector using the Comfoo profile.

Empire Comfoo Listener

Redirected Comfoo Traffic

NOTE: Sleight is a “quick and dirty” configuration script intended to be used during the initial setup of a dedicated redirector VPS. If you already have an operational Apache server with a custom mod_rewrite rule set, you’ll be better off using Sleight only to convert an Empire Communication Profile into mod_rewrite rules and then adding them to your .htaccess file yourself.

Conclusion:

Applying redirection to your C2 traffic is just one small but crucial step in hardening and obscuring your red team infrastructure. I hope this post was helpful, but a lot more can still be done to prevent your infrastructure from getting flagged by incident responders and any other defences you’ll find yourself going against. I’d highly recommend configuring your Empire C2 server with a firewall that only allows HTTP traffic to the listener port from its assigned redirector(s); otherwise anyone who discovers the C2’s address can simply bypass the redirector. Check out the Red Team Infrastructure Wiki and the resources below for more tips. Play safe.